A comprehensive examination of a Security Program, a security-relevant system, or a set of Security Controls. Security Audits can be internal or external (performed by a third party). Security Audits are more comprehensive than Security Assessments because they require access to trusted, non-public information about the program being audited. It is important to understand the scope and the covered period of a Security Audit in order to interpret its results correctly.
A Security Audit conducted by personnel employed by the organization being audited. For example, the Internal Audit Team and the Security Compliance Team at GitLab conduct Internal Audits of GitLab's Security Program.
A Security Assessment is an activity in which a Security Program, or a portion of it, is investigated for fit and function. For instance, GitLab conducts Third Party Security Reviews of our vendors. Security Assessments are less involved than a Security Audit and are generally conducted by an organization that intends to procure services from another organization. GitLab supports Security Assessments by customers by publishing and maintaining the Customer Assurance Package. Customers and prospects above a certain threshold can receive additional Security Assessment support through the Customer Security Assessment Workflow.
A document intended to provide an overview of a Security Program or a portion of it. Security Questionnaires are routinely used during Security Assessments. One example of an industry-standard security questionnaire is the CAIQ (the Cloud Security Alliance's Consensus Assessments Initiative Questionnaire), which GitLab makes publicly available.